...

When the WS-SecurityPolicy runtime in CXF encounters an IssuedToken assertion in the policy, the runtime requires an instance of org.apache.cxf.ws.security.trust.STSClient to talk to the STS and obtain the required token. Since the STSClient is itself a WS-SecurityPolicy client, it needs configuration items of its own to be able to create its secure SOAP messages to the STS.

General Configuration

There are several ways to configure the STSClient:

...

Default configuration:
If an STSClient is not found by any of the above methods, the runtime then tries to find one configured like the indirect method, but with the name "default.sts-client". This can be used to configure an STSClient once and share it across multiple services.

WS-Trust 1.4 Support

CXF provides limited support for WS-Trust 1.4. The currently supported features are listed below.

ActAs (2.2.10)

The ActAs capability allows an initiator to request a security token that allows it to act as if it were somebody else. This capability becomes important in composite services where intermediate services make additional requests on behalf of the true initiator. In this scenario, the relying party (the final destination of an indirect service request) may require information about the true origin of the request. The ActAs capability allows an intermediary to request a token that can convey this information.

The following code fragment demonstrates how to use an interceptor to dynamically set the content of the ActAs element in the RequestSecurityToken (RST) message sent to the STS. The value may be a string containing well-formed XML or a DOM Element. The contents will be added to the RST verbatim. Note that this interceptor is applied to the secured client (the initiator), not to the STSClient's own interceptor chain.

Code block (Java):

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;

public class ActAsOutInterceptor extends AbstractPhaseInterceptor<Message> {

    public ActAsOutInterceptor() {
        // This can be in any stage before the WS-SP interceptors
        // set up the STS client and issued token interceptor.
        super(Phase.SETUP);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // The value may be a String of well-formed XML or a DOM Element;
        // it is copied into the ActAs element of the RST verbatim.
        message.put(SecurityConstants.STS_TOKEN_ACT_AS, ...);
    }
}
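
The following is an added example (not code from the CXF page or project) showing the DOM Element variant: the interceptor builds a wsse:UsernameToken naming the original initiator and sets it as the ActAs content. The class name, the constructor parameter and the assumption that the target STS accepts a UsernameToken as ActAs content are this example's own; the wsse namespace URI is the standard WS-Security 1.0 one.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical interceptor (not part of CXF): sets ActAs to a UsernameToken
// built with the DOM API, so the initiator's name is never concatenated into
// an XML string and cannot break the well-formedness of the RST.
public class UsernameActAsOutInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    private final String originalUser; // assumed to be supplied by the caller

    public UsernameActAsOutInterceptor(String originalUser) {
        super(Phase.SETUP); // before the WS-SP interceptors create the STSClient
        this.originalUser = originalUser;
    }

    // Builds <wsse:UsernameToken><wsse:Username>user</wsse:Username></wsse:UsernameToken>
    static Element buildActAsElement(String user) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Document doc = factory.newDocumentBuilder().newDocument();
        Element token = doc.createElementNS(WSSE_NS, "wsse:UsernameToken");
        Element username = doc.createElementNS(WSSE_NS, "wsse:Username");
        username.setTextContent(user); // DOM escapes special characters for us
        token.appendChild(username);
        doc.appendChild(token);
        return token;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        try {
            message.put(SecurityConstants.STS_TOKEN_ACT_AS, buildActAsElement(originalUser));
        } catch (Exception e) {
            throw new Fault(e);
        }
    }
}
```

Whether the STS honours a UsernameToken in ActAs depends on the delegation handlers it is configured with; the example only shows how the initiator side supplies the element.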

Alternatively, the ActAs content may be set directly on the STSClient bean, as shown below.

Code block (XML):

<bean name="{http://cxf.apache.org/}TestEndpoint.sts-client"
    class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
    <property name="wsdlLocation" value="WSDL/wsdl/trust.wsdl"/>
    <property name="serviceName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
    <property name="endpointName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
    <property name="actAs" value="..."/>
    <property name="properties">
        <map>
            <entry key="ws-security.sts.token.properties" value="etc/bob.properties"/>
            <entry key="ws-security.callback-handler" value="interop.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" value="etc/alice.properties"/>
            <entry key="ws-security.encryption.properties" value="etc/bob.properties"/>
        </map>
    </property>
</bean>